org.apache.hadoop.security.authentication.server

Class KerberosAuthenticationHandler

java.lang.Object

org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler

All Implemented Interfaces:

AuthenticationHandler

Direct Known Subclasses:

AltKerberosAuthenticationHandler

public class KerberosAuthenticationHandler
extends Object
implements AuthenticationHandler

The KerberosAuthenticationHandler implements the Kerberos SPNEGO authentication mechanism for HTTP.

The supported configuration properties are:

• kerberos.principal: the Kerberos principal to used by the server. As stated by the Kerberos SPNEGO specification, it should be HTTP/${HOSTNAME}@{REALM}. The realm can be omitted from the principal as the JDK GSS libraries will use the realm name of the configured default realm. It does not have a default value.
• kerberos.keytab: the keytab file containing the credentials for the Kerberos principal. It does not have a default value.
• kerberos.name.rules: kerberos names rules to resolve principal names, see KerberosName.setRules(String)

Field Summary

Fields

Modifier and Type	Field and Description
static String	KEYTAB Constant for the configuration property that indicates the keytab file path.
static org.slf4j.Logger	LOG
static String	NAME_RULES Constant for the configuration property that indicates the Kerberos name rules for the Kerberos principals.
static String	PRINCIPAL Constant for the configuration property that indicates the kerberos principal.
static String	TYPE Constant that identifies the authentication mechanism.

Fields inherited from interface org.apache.hadoop.security.authentication.server.AuthenticationHandler

WWW_AUTHENTICATE

Constructor Summary

Constructors

Constructor and Description
KerberosAuthenticationHandler() Creates a Kerberos SPNEGO authentication handler with the default auth-token type, kerberos.
KerberosAuthenticationHandler(String type) Creates a Kerberos SPNEGO authentication handler with a custom auth-token type.

Method Summary

Methods

Modifier and Type	Method and Description
AuthenticationToken	authenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) It enforces the the Kerberos SPNEGO authentication sequence returning an AuthenticationToken only after the Kerberos SPNEGO sequence has completed successfully.
void	destroy() Releases any resources initialized by the authentication handler.
protected String	getKeytab() Returns the keytab used by the authentication handler.
protected Set<KerberosPrincipal>	getPrincipals() Returns the Kerberos principals used by the authentication handler.
String	getType() Returns the authentication type of the authentication handler, 'kerberos'.
void	init(Properties config) Initializes the authentication handler instance.
boolean	managementOperation(AuthenticationToken token, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) This is an empty implementation, it always returns TRUE.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LOG

public static final org.slf4j.Logger LOG

TYPE

public static final String TYPE

Constant that identifies the authentication mechanism.

See Also:

Constant Field Values

PRINCIPAL

public static final String PRINCIPAL

Constant for the configuration property that indicates the kerberos principal.

See Also:

Constant Field Values

KEYTAB

public static final String KEYTAB

Constant for the configuration property that indicates the keytab file path.

See Also:

Constant Field Values

NAME_RULES

public static final String NAME_RULES

Constant for the configuration property that indicates the Kerberos name rules for the Kerberos principals.

See Also:

Constant Field Values

Constructor Detail

KerberosAuthenticationHandler

public KerberosAuthenticationHandler()

Creates a Kerberos SPNEGO authentication handler with the default auth-token type, kerberos.

KerberosAuthenticationHandler

public KerberosAuthenticationHandler(String type)

Creates a Kerberos SPNEGO authentication handler with a custom auth-token type.

Parameters:

type - auth-token type.

Method Detail

init

public void init(Properties config)
          throws javax.servlet.ServletException

Initializes the authentication handler instance.

It creates a Kerberos context using the principal and keytab specified in the configuration.

This method is invoked by the AuthenticationFilter.init(javax.servlet.FilterConfig) method.

Specified by:

init in interface AuthenticationHandler

Parameters:

config - configuration properties to initialize the handler.

Throws:

javax.servlet.ServletException - thrown if the handler could not be initialized.

destroy

public void destroy()

Releases any resources initialized by the authentication handler.

It destroys the Kerberos context.

Specified by:

destroy in interface AuthenticationHandler

getType

public String getType()

Returns the authentication type of the authentication handler, 'kerberos'.

Specified by:

getType in interface AuthenticationHandler

Returns:

the authentication type of the authentication handler, 'kerberos'.

getPrincipals

protected Set<KerberosPrincipal> getPrincipals()

Returns the Kerberos principals used by the authentication handler.

Returns:

the Kerberos principals used by the authentication handler.

getKeytab

protected String getKeytab()

Returns the keytab used by the authentication handler.

Returns:

the keytab used by the authentication handler.

managementOperation

public boolean managementOperation(AuthenticationToken token,
                          javax.servlet.http.HttpServletRequest request,
                          javax.servlet.http.HttpServletResponse response)
                            throws IOException,
                                   AuthenticationException

This is an empty implementation, it always returns TRUE.

Specified by:

managementOperation in interface AuthenticationHandler

Parameters:

token - the authentication token if any, otherwise NULL.

request - the HTTP client request.

response - the HTTP client response.

Returns:

TRUE

Throws:

IOException - it is never thrown.

AuthenticationException - it is never thrown.

authenticate

public AuthenticationToken authenticate(javax.servlet.http.HttpServletRequest request,
                               javax.servlet.http.HttpServletResponse response)
                                 throws IOException,
                                        AuthenticationException

It enforces the the Kerberos SPNEGO authentication sequence returning an AuthenticationToken only after the Kerberos SPNEGO sequence has completed successfully.

Specified by:

authenticate in interface AuthenticationHandler

Parameters:

request - the HTTP client request.

response - the HTTP client response.

Returns:

an authentication token if the Kerberos SPNEGO sequence is complete and valid, null if it is in progress (in this case the handler handles the response to the client).

Throws:

IOException - thrown if an IO error occurred.

AuthenticationException - thrown if Kerberos SPNEGO sequence failed.